Skip to main content

Linux Kernel EUVDEUVD-2026-26655

| CVE-2026-43056 HIGH
Use After Free (CWE-416)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
7.1 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 03, 2026 - 07:39 vuln.today
CVSS changed
May 03, 2026 - 07:22 NVD
7.8 (HIGH)
Patch released
May 03, 2026 - 07:16 nvd
Patch available
Patch available
May 01, 2026 - 16:33 EUVD
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26655
Analysis Generated
May 01, 2026 - 15:00 vuln.today
CVE Published
May 01, 2026 - 14:15 nvd
HIGH 7.8

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

net: mana: fix use-after-free in add_adev() error path

If auxiliary_device_add() fails, add_adev() jumps to add_fail and calls auxiliary_device_uninit(adev).

The auxiliary device has its release callback set to adev_release(), which frees the containing struct mana_adev. Since adev is embedded in struct mana_adev, the subsequent fall-through to init_fail and access to adev->id may result in a use-after-free.

Fix this by saving the allocated auxiliary device id in a local variable before calling auxiliary_device_add(), and use that saved id in the cleanup path after auxiliary_device_uninit().

AnalysisAI

Use-after-free in Linux kernel's MANA network driver allows local authenticated attackers to corrupt memory and potentially execute code with kernel privileges. The flaw occurs when auxiliary_device_add() fails in add_adev(), triggering cleanup that frees memory still referenced by subsequent error-handling code. Patches available across stable kernel branches (6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (5th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public exploit identified at time of analysis.

Technical ContextAI

This vulnerability affects the Microsoft Azure Network Adapter (MANA) driver in the Linux kernel, specifically the auxiliary device initialization path. The Linux auxiliary bus framework allows kernel drivers to create logical sub-devices. During MANA auxiliary device registration, if auxiliary_device_add() fails, the error path calls auxiliary_device_uninit() which triggers the adev_release() callback. This callback frees the parent mana_adev structure that contains the embedded auxiliary_device. However, the cleanup code then continues to access adev->id through the now-freed pointer, creating a classic use-after-free condition. This represents a temporal memory safety violation where a reference outlives the object's lifetime. The vulnerability was introduced in commit a69839d4327d and affects kernel versions 6.2 onward until patched.

RemediationAI

Update to patched Linux kernel versions: 6.6.134, 6.12.81, 6.18.22, 6.19.12, or 7.0+ depending on your stable branch. Patches available from kernel.org stable tree (see https://git.kernel.org/stable/c/d88541ffd56d62a61e77209080001eddd4d69815 and related commits in references). The fix saves the auxiliary device ID to a local variable before device initialization, preventing access to freed memory in error paths. For Azure/Hyper-V environments unable to immediately patch, compensating controls include restricting local user access to systems with MANA drivers (reducing PR:L attack prerequisite), monitoring for kernel crashes in mana driver initialization paths, or temporarily disabling MANA driver loading if alternative networking is available (note: this breaks Azure accelerated networking, significantly impacting performance). Kernel address space layout randomization (KASLR) and memory protections may increase exploitation difficulty but do not prevent the underlying use-after-free. Prioritize patching over workarounds for production Azure workloads.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy